/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions Copyrighted [year] [name of copyright owner]".
 *
 * Copyright 2014-2015 ForgeRock AS. All rights reserved.
 */

package org.forgerock.openam.shared.sts;

import javax.xml.namespace.QName;

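/**
 * Constants shared between the openam-sts module and the STS ViewBean/Model in openam-console.
 *
 * <p>Most entries are the JSON keys (and matching {@code AttributeSchema} element names in
 * {@code restSTS.xml} / {@code soapSTS.xml}) used when an STS instance's configuration is
 * marshalled between the console, the publish service and the STS runtime. Several of these keys
 * reference secrets (client secrets, keystore and key passwords); their <em>values</em> must be
 * treated as sensitive by any code that logs, serialises or displays the configuration.
 *
 * <p>This class is not instantiable.
 */
public final class SharedSTSConstants {

    /** Not instantiable; the guard also defeats reflective instantiation. */
    private SharedSTSConstants() {
        throw new AssertionError("no instances");
    }

    /**
     * The name of the json field in the json rest-sts publish invocation that references the field which allows the
     * marshalling logic in the {Rest|Soap}STSPublishServiceRequestHandler to distinguish between programmatic
     * invocations via the client sdk classes, which will publish with state generated by calling toJson() on an
     * instance of the {Rest|Soap}STSInstanceConfig class, and the {Rest|Soap}SecurityTokenServiceViewBean, which
     * will publish with state harvested from the ViewBean property sheet, and will thus be in the format of
     * Map&lt;String, Set&lt;String&gt;&gt;.
     */
    public static final String STS_PUBLISH_INVOCATION_CONTEXT = "invocation_context";

    /**
     * Used as the value for the STS_PUBLISH_INVOCATION_CONTEXT key for invocations to the rest sts publish service
     * issued by the RestSecurityTokenServiceViewBean.
     */
    public static final String STS_PUBLISH_INVOCATION_CONTEXT_VIEW_BEAN = "invocation_context_view_bean";

    /**
     * Used as the key to the JsonValue corresponding to a wrapped Map&lt;String, Set&lt;String&gt;&gt; or the output
     * of {Rest|Soap}STSInstanceConfig#toJson(), depending upon the invocation context.
     */
    public static final String STS_PUBLISH_INSTANCE_STATE = "instance_state";

    /**
     * This field is referenced in RestDeploymentConfig.DEPLOYMENT_REALM. It is the name of the key of the json field
     * referencing the realm in which the rest instance is deployed, which also matches the name of the AttributeSchema
     * element defined in restSTS.xml.
     */
    public static final String DEPLOYMENT_REALM = "deployment-realm";

    /**
     * This field is referenced in OpenIdConnectTokenConfig.ISSUER. It is the name of the key of the json field
     * referencing the id of the OIDC token issuer, which also matches the name of the AttributeSchema element
     * defined in restSTS.xml.
     */
    public static final String OIDC_ISSUER = "oidc-issuer";

    /**
     * This field is referenced in OpenIdConnectTokenConfig.TOKEN_LIFETIME. It is the name of the key of the json
     * field referencing the token lifetime of issued oidc tokens, which also matches the name of the AttributeSchema
     * element defined in restSTS.xml.
     */
    public static final String OIDC_TOKEN_LIFETIME = "oidc-token-lifetime-seconds";

    /**
     * This field is referenced in OpenIdConnectTokenConfig.CLIENT_SECRET. It is the name of the key of the json field
     * referencing the secret used as HMAC signing key, which also matches the name of the AttributeSchema element
     * defined in restSTS.xml.
     *
     * <p>Security: the value under this key is a signing secret. Anyone holding it can mint OIDC tokens that the
     * relying party will accept, so it must never appear in logs, audit records, error messages or console output.
     */
    public static final String OIDC_CLIENT_SECRET = "oidc-client-secret";

    /**
     * This field is referenced in OpenIdConnectTokenConfig.KEYSTORE_LOCATION. It is the name of the key of the json
     * field referencing the keystore location, which also matches the name of the AttributeSchema element defined
     * in restSTS.xml.
     */
    public static final String OIDC_KEYSTORE_LOCATION = "oidc-keystore-location";

    /**
     * This field is referenced in OpenIdConnectTokenConfig.KEYSTORE_PASSWORD. It is the name of the key of the json
     * field referencing the keystore password, which also matches the name of the AttributeSchema element defined
     * in restSTS.xml.
     *
     * <p>Security: the value under this key is a secret; keep it out of logs and error messages.
     */
    public static final String OIDC_KEYSTORE_PASSWORD = "oidc-keystore-password";

    /**
     * This field is referenced in OpenIdConnectTokenConfig.SIGNATURE_KEY_ALIAS. It is the name of the key of the json
     * field referencing the keystore signature key alias, which also matches the name of the AttributeSchema element
     * defined in restSTS.xml.
     */
    public static final String OIDC_SIGNATURE_KEY_ALIAS = "oidc-signature-key-alias";

    /**
     * This field is referenced in OpenIdConnectTokenConfig.SIGNATURE_KEY_PASSWORD. It is the name of the key of the
     * json field referencing the keystore signature key password, which also matches the name of the AttributeSchema
     * element defined in restSTS.xml.
     *
     * <p>Security: the value under this key is a secret; keep it out of logs and error messages.
     */
    public static final String OIDC_SIGNATURE_KEY_PASSWORD = "oidc-signature-key-password";

    /**
     * This field is referenced in OpenIdConnectTokenConfig.SIGNATURE_ALGORITHM. It is the name of the key of the json
     * field referencing the signature algorithm, which also matches the name of the AttributeSchema element defined
     * in restSTS.xml.
     *
     * <p>NOTE(review): the algorithm chosen here presumably decides whether the HMAC secret (OIDC_CLIENT_SECRET) or
     * the keystore signing key (OIDC_SIGNATURE_KEY_ALIAS) is used; confirm against OpenIdConnectTokenConfig. The
     * relying party should pin the expected algorithm rather than trust the token header.
     */
    public static final String OIDC_SIGNATURE_ALGORITHM = "oidc-signature-algorithm";

    /**
     * This field is referenced in OpenIdConnectTokenConfig.CLAIM_MAP. It is the name of the key of the json field
     * referencing the claim map, which also matches the name of the AttributeSchema element defined in restSTS.xml.
     */
    public static final String OIDC_CLAIM_MAP = "oidc-claim-map";

    /**
     * This field is referenced in OpenIdConnectTokenConfig.AUDIENCE. It is the name of the key of the json field
     * referencing the audience of issued OIDC tokens, which also matches the name of the AttributeSchema element
     * defined in restSTS.xml.
     */
    public static final String OIDC_AUDIENCE = "oidc-audience";

    /**
     * This field is referenced in SAML2Config.TOKEN_LIFETIME. It is the name of the key of the json field referencing
     * the token lifetime of issued saml2 assertions, which also matches the name of the AttributeSchema element
     * defined in restSTS.xml.
     */
    public static final String SAML2_TOKEN_LIFETIME = "saml2-token-lifetime-seconds";

    /**
     * This field is referenced in SAML2Config.SIGN_ASSERTION. It is the name of the key of the json field referencing
     * whether the issued assertion should be signed, which also matches the name of the AttributeSchema element
     * defined in restSTS.xml.
     */
    public static final String SAML2_SIGN_ASSERTION = "saml2-sign-assertion";

    /**
     * This field is referenced in SAML2Config.ENCRYPT_NAME_ID. It is the name of the key of the json field
     * referencing whether the issued assertion should have its NameID encrypted, which also matches the name of the
     * AttributeSchema element defined in restSTS.xml.
     */
    public static final String SAML2_ENCRYPT_NAME_ID = "saml2-encrypt-nameid";

    /**
     * This field is referenced in SAML2Config.ENCRYPT_ATTRIBUTES. It is the name of the key of the json field
     * referencing whether the issued assertion should have its Attributes encrypted, which also matches the name of
     * the AttributeSchema element defined in restSTS.xml.
     */
    public static final String SAML2_ENCRYPT_ATTRIBUTES = "saml2-encrypt-attributes";

    /**
     * This field is referenced in SAML2Config.ENCRYPT_ASSERTION. It is the name of the key of the json field
     * referencing whether the issued assertion should be encrypted, which also matches the name of the
     * AttributeSchema element defined in restSTS.xml.
     */
    public static final String SAML2_ENCRYPT_ASSERTION = "saml2-encrypt-assertion";

    /**
     * This field is referenced in SAML2Config.ENCRYPTION_ALGORITHM. It is the name of the key of the json field
     * referencing the type of encryption algorithm, which also matches the name of the AttributeSchema
     * element defined in restSTS.xml.
     */
    public static final String SAML2_ENCRYPTION_ALGORITHM = "saml2-encryption-algorithm";

    /**
     * This field is referenced in SAML2Config.ENCRYPTION_ALGORITHM_STRENGTH. It is the name of the key of the json
     * field referencing the strength of the encryption algorithm, which also matches the name of the AttributeSchema
     * element defined in restSTS.xml.
     */
    public static final String SAML2_ENCRYPTION_ALGORITHM_STRENGTH = "saml2-encryption-algorithm-strength";

    /**
     * This field is referenced in SAML2Config.KEYSTORE_FILE_NAME. It is the name of the key of the json field
     * referencing the keystore location for keys used to sign and encrypt SAML assertions, which also matches the
     * name of the AttributeSchema element defined in restSTS.xml.
     */
    public static final String SAML2_KEYSTORE_FILE_NAME = "saml2-keystore-filename";

    /**
     * This field is referenced in SAML2Config.KEYSTORE_PASSWORD. It is the name of the key of the json field
     * referencing the keystore password, which also matches the name of the AttributeSchema
     * element defined in restSTS.xml.
     *
     * <p>Security: the value under this key is a secret; keep it out of logs and error messages.
     */
    public static final String SAML2_KEYSTORE_PASSWORD = "saml2-keystore-password";

    /**
     * This field is referenced in SAML2Config.SIGNATURE_KEY_ALIAS. It is the name of the key of the json field
     * referencing the signature key alias, which also matches the name of the AttributeSchema
     * element defined in restSTS.xml.
     */
    public static final String SAML2_SIGNATURE_KEY_ALIAS = "saml2-signature-key-alias";

    /**
     * This field is referenced in SAML2Config.SIGNATURE_KEY_PASSWORD. It is the name of the key of the json field
     * referencing the signature key password, which also matches the name of the AttributeSchema
     * element defined in restSTS.xml.
     *
     * <p>Security: the value under this key is a secret; keep it out of logs and error messages.
     */
    public static final String SAML2_SIGNATURE_KEY_PASSWORD = "saml2-signature-key-password";

    /**
     * This field is referenced in SAML2Config.SP_ENTITY_ID. It is the name of the key of the json field referencing
     * the entity id of the SP for whom generated assertions are intended, which also matches the name of the
     * AttributeSchema element defined in restSTS.xml.
     */
    public static final String SAML2_SP_ENTITY_ID = "saml2-sp-entity-id";

    /**
     * This field is referenced in SAML2Config.SP_ACS_URL. It is the name of the key of the json field referencing
     * the url of the SP's assertion consumer service, which is required when issuing bearer assertions. Also matches
     * the name of the AttributeSchema element defined in restSTS.xml.
     */
    public static final String SAML2_SP_ACS_URL = "saml2-sp-acs-url";

    /**
     * This field is referenced in SAML2Config.ENCRYPTION_KEY_ALIAS. It is the name of the key of the json field
     * referencing the public key of the SP intended to consume issued assertions, which also matches the name of the
     * AttributeSchema element defined in restSTS.xml.
     */
    public static final String SAML2_ENCRYPTION_KEY_ALIAS = "saml2-encryption-key-alias";

    /**
     * This field is referenced in SAML2Config.ATTRIBUTE_MAP. It is the name of the key of the json field referencing
     * the map of saml2 attributes, which also matches the name of the AttributeSchema
     * element defined in restSTS.xml.
     */
    public static final String SAML2_ATTRIBUTE_MAP = "saml2-attribute-map";

    /**
     * This field is referenced in RestDeploymentConfig.URI_ELEMENT. It is the name of the key of the json field
     * referencing the realm-relative url element where a published rest instance is to be exposed, which also matches
     * the name of the AttributeSchema element defined in restSTS.xml.
     */
    public static final String DEPLOYMENT_URL_ELEMENT = "deployment-url-element";

    /**
     * If a rest-sts instance is configured to support a token transformation with an x509 token as an input token
     * type, the instance must be invoked via a two-way TLS exchange (i.e. where the client presents their certificate).
     * If OpenAM is deployed behind a tls-offloading engine, the client certificate won't be set as a HttpServletRequest
     * attribute referenced by the jakarta.servlet.request.X509Certificate key, but rather the rest sts instance must be
     * configured with the name of the http header where the tls-offloading engine will store the client certificate
     * prior to invoking OpenAM.
     *
     * <p>Security: a certificate carried in a header is only as trustworthy as the path it arrived on. If a client
     * can reach OpenAM without passing through the offload engine, or the engine forwards a client-supplied copy of
     * this header instead of overwriting it, a forged header impersonates any certificate holder. Configure this key
     * together with TLS_OFFLOAD_ENGINE_HOSTS and have the engine strip inbound headers of this name.
     */
    public static final String OFFLOADED_TWO_WAY_TLS_HEADER_KEY = "deployment-offloaded-two-way-tls-header-key";

    /**
     * If a rest-sts instance is configured to support a token transformation with an x509 token as an input token
     * type, the instance must be invoked via a two-way TLS exchange (i.e. where the client presents their certificate).
     * If OpenAM is deployed behind a tls-offloading engine, the client certificate won't be set as a HttpServletRequest
     * attribute referenced by the jakarta.servlet.request.X509Certificate key, but rather the rest sts instance must be
     * configured with the name of the http header where the tls-offloading engine will store the client certificate
     * prior to invoking OpenAM. The rest-sts instance will undertake the further check to determine if the ip address
     * invoking the rest-sts corresponds to the set of IP-addresses corresponding to the TLS-offload-engine hosts.
     *
     * <p>Security: this source-address check is what stops an arbitrary client from presenting the header named by
     * OFFLOADED_TWO_WAY_TLS_HEADER_KEY directly. It is only meaningful if the address the STS observes is the offload
     * engine's real address (no intermediate proxy rewriting it) and the listed hosts are not reachable by untrusted
     * parties.
     */
    public static final String TLS_OFFLOAD_ENGINE_HOSTS = "deployment-tls-offload-engine-hosts";

    /**
     * This field is referenced in SAML2Config.ISSUER_NAME. It is the name of the key of the json field referencing
     * the IdP id of the SAML2 token issuer, which also matches the name of the AttributeSchema element defined in
     * restSTS.xml.
     */
    public static final String ISSUER_NAME = "issuer-name";

    /**
     * This field is referenced in RestSTSInstanceConfig.SUPPORTED_TOKEN_TRANSFORMS. It is the name of the key of the
     * json field referencing the set of token transformations, which also matches the name of the AttributeSchema
     * element defined in restSTS.xml.
     */
    public static final String SUPPORTED_TOKEN_TRANSFORMS = "supported-token-transforms";

    /**
     * This field is referenced in RestSTSInstanceConfig.CUSTOM_TOKEN_PROVIDERS. It is the name of the key of the json
     * field referencing the set of custom token providers, which also matches the name of the AttributeSchema element
     * defined in restSTS.xml.
     */
    public static final String CUSTOM_TOKEN_PROVIDERS = "custom-token-providers";

    /**
     * This field is referenced in RestSTSInstanceConfig.CUSTOM_TOKEN_VALIDATORS. It is the name of the key of the json
     * field referencing the set of custom token validators, which also matches the name of the AttributeSchema
     * element defined in restSTS.xml.
     */
    public static final String CUSTOM_TOKEN_VALIDATORS = "custom-token-validators";

    /**
     * This field is referenced in RestSTSInstanceConfig.CUSTOM_TOKEN_TRANSFORMS. It is the name of the key of the json
     * field referencing the set of custom token translations, which also matches the name of the AttributeSchema
     * element defined in restSTS.xml.
     */
    public static final String CUSTOM_TOKEN_TRANSFORMS = "custom-token-transforms";

    /**
     * The forward slash character.
     */
    public static final String FORWARD_SLASH = "/";

    /**
     * The url element at which the rest publish service is exposed. Corresponds to the entry in web.xml
     * defining the servlet-mapping for the sts-publish servlet.
     */
    public static final String REST_PUBLISH_SERVICE_URL_ELEMENT = "/sts-publish/rest";

    /**
     * The url element at which the soap publish service is exposed. Corresponds to the entry in web.xml
     * defining the servlet-mapping for the sts-publish servlet.
     */
    public static final String SOAP_PUBLISH_SERVICE_URL_ELEMENT = "/sts-publish/soap";

    /**
     * The url constituent, appended to the REST_PUBLISH_SERVICE_URL_ELEMENT, which will trigger a POST to the
     * rest-sts-publish crest service to create a new rest sts instance.
     */
    public static final String PUBLISH_SERVICE_CREATE_ACTION_URL_ELEMENT = "?_action=create";

    /**
     * The HTTP content type header name.
     */
    public static final String CONTENT_TYPE = "Content-Type";

    /**
     * The JSON HTTP content type header value.
     */
    public static final String APPLICATION_JSON = "application/json";

    /**
     * The name of the CREST header identifying the version of a targeted service.
     */
    public static final String CREST_VERSION_HEADER_KEY = "Accept-API-Version";

    /**
     * Name of configuration key referencing a custom wsdl file.
     */
    public static final String CUSTOM_WSDL_LOCATION = "deployment-custom-wsdl-location";

    /**
     * Name of configuration key referencing a custom service name specified in a custom wsdl file.
     */
    public static final String CUSTOM_SERVICE_QNAME = "deployment-custom-service-name";

    /**
     * Name of configuration key referencing a custom service port specified in a custom wsdl file.
     */
    public static final String CUSTOM_PORT_QNAME = "deployment-custom-service-port";

    /**
     * Name of configuration key referencing the type of SupportingToken specified in the SecurityPolicy bindings
     * protecting a soap-sts instance.
     */
    public static final String SECURITY_POLICY_VALIDATED_TOKEN_CONFIG = "security-policy-validated-token-config";

    /**
     * Name of configuration key referencing the name of the service defined in the wsdl which should be exposed.
     */
    public static final String SERVICE_QNAME = "deployment-service-name";

    /**
     * Name of configuration key referencing the name of the port defined in the wsdl which should be exposed.
     */
    public static final String PORT_QNAME = "deployment-service-port";

    /**
     * Name of configuration key referencing the wsdl location.
     */
    public static final String WSDL_LOCATION = "deployment-wsdl-location";

    /**
     * Name of configuration key referencing the url of the OpenAM deployment.
     */
    public static final String AM_DEPLOYMENT_URL = "deployment-am-url";

    /**
     * One of the possible selections defined in propertySoapSecurityTokenService.xml, under the
     * deployment-wsdl-location property, which allows the user to indicate that they wish to specify a custom wsdl
     * location.
     */
    public static final String CUSTOM_WSDL_FILE_INDICATOR = "custom_wsdl_file";

    /**
     * The namespace defined by the WS-Trust specification.
     */
    public static final String WS_TRUST_NAMESPACE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";

    /**
     * The name of the sts service in all of the standard wsdl definitions.
     */
    public static final QName STANDARD_STS_SERVICE_QNAME = new QName(WS_TRUST_NAMESPACE, "sts_service");

    /**
     * The name of the sts service port in all of the standard wsdl definitions.
     */
    public static final QName STANDARD_STS_PORT_QNAME = new QName(WS_TRUST_NAMESPACE, "sts_service_port");

    /**
     * Name of a property defined in propertySoapSecurityTokenService.xml and soapSTS.xml which indicates whether
     * the soap-sts instance will plug-in token validators for ActAs/OnBehalfOf elements included in
     * RequestSecurityToken invocations.
     */
    public static final String DELEGATION_RELATIONSHIP_SUPPORTED = "delegation-relationship-supported";

    /**
     * Corresponds to entries in propertySoapSecurityTokenService.xml and soapSTS.xml which indicate which tokens can be
     * included as ActAs/OnBehalfOf elements in a RST.
     */
    public static final String DELEGATION_TOKEN_VALIDATORS = "delegation-validated-token-types";

    /**
     * Corresponds to entries in propertySoapSecurityTokenService.xml and soapSTS.xml which specify custom
     * TokenDelegationHandler implementations which will validate token elements included as ActAs/OnBehalfOf elements
     * in a RST.
     */
    public static final String CUSTOM_DELEGATION_TOKEN_HANDLERS = "delegation-custom-token-handlers";

    /**
     * Name of keystore which stores the password encryption key for soap-sts deployments.
     */
    public static final String AM_INTERNAL_SOAP_STS_KEYSTORE = "am_soap_sts.jks";

    /**
     * The type of keystore used internally by the soap-sts. JCEKS, unlike JKS, can hold symmetric SecretKey entries,
     * which is presumably why it is used for a password-encryption key; confirm against the keystore's creator.
     */
    public static final String AM_INTERNAL_SOAP_STS_KEYSTORE_TYPE = "JCEKS";

    /**
     * Alias for the soap-sts password encryption key.
     */
    public static final String AM_INTERNAL_PEK_ALIAS = "soap_sts_pek";

    /**
     * The soap-sts internal keystore password.
     *
     * <p>Security: this value is compiled into a public constant of a shared, open-source module, so it provides no
     * confidentiality whatsoever; anyone with read access to the keystore file named by AM_INTERNAL_SOAP_STS_KEYSTORE
     * can open it and recover the password-encryption key under AM_INTERNAL_PEK_ALIAS, and through it every password
     * that key protects. Protection of that keystore therefore rests entirely on file-system permissions and host
     * hardening, and the file must never be copied into backups, images or support bundles that leave the trust
     * boundary. The literal appears to be in OpenAM's encrypted-string format (AQIC prefix) — confirm how it is
     * decoded before changing it, since existing keystores are bound to this exact value.
     */
    public static final String AM_INTERNAL_SOAP_STS_KEYSTORE_PW = "AQICcQXJAVayPq6zMlamHMDZD0Q4kgtX9wgd";
}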
